- Bug
- Resolution: Done
- Blocker
- None
- OSSM 2.5.0
- None
With the latest 2.5 proxy build, the TestSSL test case is failing.
The command
`./testssl/testssl.sh -P -6 productpage:9080 || true`
in the testssl pod fails on:
```
Using "OpenSSL 1.1.1g FIPS 21 Apr 2020" [~85 ciphers]
on testssl-84789b6c48-ljpxf:/usr/bin/openssl
(built: "Mar 25 16:46:53 2021", platform: "linux-x86_64")

Start 2024-02-20 09:12:24 -->> 172.30.44.247:9080 (productpage) <<--

rDNS (172.30.44.247): productpage.bookinfo.svc.cluster.local.
./testssl/testssl.sh: connect: Connection refused
./testssl/testssl.sh: line 10326: /dev/tcp/172.30.44.247/9080: Connection refused
Oops: TCP connect problem Unable to open a socket to 172.30.44.247:9080.
./testssl/testssl.sh: connect: Connection refused
./testssl/testssl.sh: line 10326: /dev/tcp/172.30.44.247/9080: Connection refused
```
update:
I also noticed that when I run that command from the `testssl` pod, the `istio-proxy` container in the `product` pod is restarted.
```
2024-02-20T09:32:07.727518Z info cache returned workload trust anchor from cache ttl=23h59m59.272485027s
[2024-02-20T09:33:45.512Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 8 - "-" "-" "-" "-" "-" - - 10.128.2.146:9080 10.129.3.147:53968 - -
2024-02-20T09:33:45.731817Z critical envoy backtrace external/envoy/source/server/backtrace.h:104 Caught Segmentation fault, suspect faulting address 0x0 thread=28
2024-02-20T09:33:45.731857Z critical envoy backtrace external/envoy/source/server/backtrace.h:91 Backtrace (use tools/stack_decode.py to get line numbers): thread=28
2024-02-20T09:33:45.731860Z critical envoy backtrace external/envoy/source/server/backtrace.h:92 Envoy version: ae3bbc4313b45af63777a2588388796d74221cfd/1.26.8-dev/OSSM 2.5.0-1/RELEASE/OpenSSL thread=28
2024-02-20T09:33:45.732123Z critical envoy backtrace external/envoy/source/server/backtrace.h:96 #0: __restore_rt [0x7f5e9fec9cf0] thread=28
2024-02-20T09:33:45.743869Z critical envoy backtrace external/envoy/source/server/backtrace.h:96 #1: Envoy::Extensions::TransportSockets::Tls::TlsContext::isCipherEnabled() [0x55ec4937e91a] thread=28
2024-02-20T09:33:45.755545Z critical envoy backtrace external/envoy/source/server/backtrace.h:96 #2: Envoy::Extensions::TransportSockets::Tls::ServerContextImpl::isClientEcdsaCapable() [0x55ec4937e8cf] thread=28
2024-02-20T09:33:45.766882Z critical envoy backtrace external/envoy/source/server/backtrace.h:96 #3: Envoy::Extensions::TransportSockets::Tls::ServerContextImpl::selectTlsContext() [0x55ec4937f03c] thread=28
2024-02-20T09:33:45.766986Z critical envoy backtrace external/envoy/source/server/backtrace.h:98 #4: [0x7f5ea0db186e]thread=28
ConnectionImpl 0x55ec4e578340, connecting_: 0, bind_error_: 0, state(): Open, read_buffer_limit_: 1048576
socket_: ListenSocketImpl 0x55ec4dfebb80, transport_protocol_: tls
connection_info_provider_: ConnectionInfoSetterImpl 0x55ec4e55ca60, remote_address_: 10.129.3.147:53974, direct_remote_address_: 10.129.3.147:53974, local_address_: 10.128.2.146:9080, server_name_: productpage
2024-02-20T09:33:46.811366Z info ads ADS: "@" productpage-v1-7c5c65566c-l54hv.bookinfo-2 terminated
2024-02-20T09:33:46.811461Z info ads ADS: "@" productpage-v1-7c5c65566c-l54hv.bookinfo-1 terminated
2024-02-20T09:33:46.811764Z error Envoy exited with error: signal: segmentation fault (core dumped)
2024-02-20T09:33:46.811895Z error error serving tap http server: http: Server closed
```
update2:
When I removed an additional TLS config from the SMCP, the script was able to connect and start showing some info
```
Testing server preferences
Has server cipher order? yes (OK) -- TLS 1.3 and below
Negotiated protocol TLSv1.3
Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
Cipher order
Oops: openssl s_client connect problem
./testssl.sh: connect: Connection refused
```
till the `Segmentation fault` crashes the whole container.
- is caused by
  - OSSM-5965 Segmentation fault in the latest 2.5 istio-proxy (Closed)
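A triage helper for the backtrace in this report, as an added example that is not part of the original report or of Envoy/OSSM tooling: it extracts the signal, faulting address, Envoy version and stack frames from `istio-proxy` log lines and flags crashes that land in the TLS transport socket code. The function name, the result fields and the `SIGNAL_FRAMES` skip list are assumptions of this example; the sample input is copied from the log above.

```python
import re

# Sample input: backtrace lines copied from the istio-proxy log in this report.
SAMPLE_LOG = """\
2024-02-20T09:33:45.731817Z critical envoy backtrace external/envoy/source/server/backtrace.h:104 Caught Segmentation fault, suspect faulting address 0x0 thread=28
2024-02-20T09:33:45.731860Z critical envoy backtrace external/envoy/source/server/backtrace.h:92 Envoy version: ae3bbc4313b45af63777a2588388796d74221cfd/1.26.8-dev/OSSM 2.5.0-1/RELEASE/OpenSSL thread=28
2024-02-20T09:33:45.732123Z critical envoy backtrace external/envoy/source/server/backtrace.h:96 #0: __restore_rt [0x7f5e9fec9cf0] thread=28
2024-02-20T09:33:45.743869Z critical envoy backtrace external/envoy/source/server/backtrace.h:96 #1: Envoy::Extensions::TransportSockets::Tls::TlsContext::isCipherEnabled() [0x55ec4937e91a] thread=28
2024-02-20T09:33:45.755545Z critical envoy backtrace external/envoy/source/server/backtrace.h:96 #2: Envoy::Extensions::TransportSockets::Tls::ServerContextImpl::isClientEcdsaCapable() [0x55ec4937e8cf] thread=28
2024-02-20T09:33:45.766882Z critical envoy backtrace external/envoy/source/server/backtrace.h:96 #3: Envoy::Extensions::TransportSockets::Tls::ServerContextImpl::selectTlsContext() [0x55ec4937f03c] thread=28
2024-02-20T09:33:45.766986Z critical envoy backtrace external/envoy/source/server/backtrace.h:98 #4: [0x7f5ea0db186e]thread=28
"""

CRASH = re.compile(r"Caught (?P<signal>.+?), suspect faulting address (?P<addr>0x[0-9a-fA-F]+)")
VERSION = re.compile(r"Envoy version: (.+?) thread=")
FRAME = re.compile(r"#(?P<idx>\d+): (?P<sym>.*?)\[(?P<pc>0x[0-9a-f]+)\]")
# Signal-return trampoline frames that sit above the real faulting function.
SIGNAL_FRAMES = {"__restore_rt"}


def parse_envoy_crash(log_text):
    """Summarise the most recent Envoy crash backtrace in log_text, or return None."""
    report = None
    for line in log_text.splitlines():
        if "envoy backtrace" not in line:
            continue
        if m := CRASH.search(line):
            # A new "Caught <signal>" line starts a fresh report.
            report = {"signal": m["signal"], "address": int(m["addr"], 16),
                      "version": None, "frames": []}
        elif report is None:
            continue
        elif m := VERSION.search(line):
            report["version"] = m[1]
        elif m := FRAME.search(line):
            # Frames without a resolved symbol (like #4 above) get None.
            report["frames"].append((int(m["idx"]), m["sym"].strip() or None, m["pc"]))
    if report:
        named = [s for _, s, _ in report["frames"] if s and s not in SIGNAL_FRAMES]
        report["faulting_function"] = named[0] if named else None
        # Crashes inside the TLS transport socket happen while serving a peer connection.
        report["in_tls_transport_socket"] = any("TransportSockets::Tls" in s for s in named)
    return report
```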